Social Engineering Counter Measures

Types and Countermeasures of Social Engineering

Andrew Wellman

Abstract

“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted” (Mitnick, 2005). This is a statement by Kevin Mitnick, one of the most prolific hackers in the world. Kevin Mitnick did not spend his time buying expensive equipment and spend days attempting to hack agencies by computer. Kevin Mitnick hacked into a variety of country’s most powerful agencies by conning their employees. Being able to conn employees and access data is an example of Social Engineering. “Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading a victim to perform some action” (Graves, 2007) There are two distinct types of social engineering and important countermeasures to take in order to keep oneself from becoming a victim. The two common types of attacks regarding social engineering are human based and computer based.

Human Based

Most human based attacks involves some type of impersonation. Impersonation is pretending to be someone you are not. Impersonation can include but is not limited to posing as tech support, posing as an employee when calling tech support, posing as a repair man and posing as an authority figure. One type of human based attack that may not require impersonation to access needed information is dumpster diving. Posing as tech support or calling tech support is easy way to access information. The hacker may pose as an employee and call tech support and explain that he is having trouble logging into the system. Tech supports are trained to help users and will often give out passwords and other information. A hacker may pose as tech...